[Cryptography] NSA voting on TLS encryption at the IETF TLS WG
Andrew Lee
andrew at joseon.com
Thu Jul 2 20:06:31 EDT 2026
I think your read is accurate, but I hope others chime in as well.
On Jul 2, 2026, at 3:40 PM, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> - the extra cost of ECC is minor (how minor?)
~100 us [1] on an old CPU and 32 bytes [2].
Best,
Andrew
[1] Nothing compared to network latency.
[2] Test here for illustrative purposes and not proper implementation (Go):
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"

	"filippo.io/mlkem768"
)

const iterations = 10000

// solo runs one ML-KEM-768 round: keygen, encapsulate, decapsulate.
func solo() {
	dk, _ := mlkem768.GenerateKey()
	ct, _, _ := mlkem768.Encapsulate(dk.EncapsulationKey())
	mlkem768.Decapsulate(dk, ct)
}

// x25519 generates two ephemeral key pairs and returns their shared secret.
func x25519() []byte {
	c := ecdh.X25519()
	a, _ := c.GenerateKey(rand.Reader)
	b, _ := c.GenerateKey(rand.Reader)
	ss, _ := a.ECDH(b.PublicKey())
	return ss
}

// hybrid runs the same ML-KEM-768 round plus X25519, then feeds both
// shared secrets through HKDF-SHA256.
func hybrid() {
	dk, _ := mlkem768.GenerateKey()
	ct, ssKEM, _ := mlkem768.Encapsulate(dk.EncapsulationKey())
	mlkem768.Decapsulate(dk, ct)
	hkdf.Key(sha256.New, append(ssKEM, x25519()...), nil, "tls13 hybrid", 32)
}

// avg returns the mean wall-clock time of one call to fn over n calls.
func avg(fn func(), n int) time.Duration {
	start := time.Now()
	for i := 0; i < n; i++ {
		fn()
	}
	return time.Since(start) / time.Duration(n)
}

func main() {
	// Warm up before timing.
	for i := 0; i < 500; i++ {
		solo()
		hybrid()
	}
	// Extra cost of the hybrid: hybrid time minus ML-KEM-only time.
	fmt.Printf("ML-KEM+X25519 cost: %v\n", avg(hybrid, iterations)-avg(solo, iterations))
}
Best,
Andrew
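The 32-byte figure in the message above, shown as both sides of an ML-KEM-768 + X25519 exchange. This is an added example, not part of the original post. It assumes Go's standard crypto/mlkem package (Go 1.24 or later) in place of filippo.io/mlkem768, and the names hybridExchange and must and the share layout are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// must is a helper of this example; real code should return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hybridExchange runs both sides and returns the two key shares, the client's
// combined secret, and whether the server derived the same one. The layout
// (ML-KEM part first, then 32 bytes of X25519) is this example's assumption.
func hybridExchange() (cShare, sShare, secret []byte, agree bool) {
	x := ecdh.X25519()
	// Client: ML-KEM encapsulation key followed by an ephemeral X25519 key.
	dk := must(mlkem.GenerateKey768())
	cx := must(x.GenerateKey(rand.Reader))
	cShare = append(dk.EncapsulationKey().Bytes(), cx.PublicKey().Bytes()...)

	// Server: split the share, encapsulate, and run its half of X25519.
	ek := must(mlkem.NewEncapsulationKey768(cShare[:mlkem.EncapsulationKeySize768]))
	peer := must(x.NewPublicKey(cShare[mlkem.EncapsulationKeySize768:]))
	sx := must(x.GenerateKey(rand.Reader))
	ssKEM, ct := ek.Encapsulate()
	sSecret := append(ssKEM, must(sx.ECDH(peer))...)
	sShare = append(ct, sx.PublicKey().Bytes()...)

	// Client: decapsulate the ciphertext, finish X25519 with the last 32 bytes.
	cKEM := must(dk.Decapsulate(sShare[:mlkem.CiphertextSize768]))
	cX := must(cx.ECDH(must(x.NewPublicKey(sShare[mlkem.CiphertextSize768:]))))
	secret = append(cKEM, cX...)
	return cShare, sShare, secret, bytes.Equal(secret, sSecret)
}

func main() {
	c, s, secret, ok := hybridExchange()
	fmt.Printf("client share %d B (ML-KEM alone %d B)\n", len(c), mlkem.EncapsulationKeySize768)
	fmt.Printf("server share %d B (ML-KEM alone %d B)\n", len(s), mlkem.CiphertextSize768)
	fmt.Printf("secrets agree: %v, combined secret %d B\n", ok, len(secret))
}
```

Each direction carries 32 bytes more than ML-KEM-768 alone, and the combined secret is the two 32-byte secrets concatenated before any key derivation.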